Avoiding Pre-Auth/Auth Principal State Disclosure
Chris Hecker
checker at d6.com
Thu Jul 2 17:05:14 EDT 2020
Wow, thanks for taking the time for the detailed response! I will digest
this and see if I still have questions.
Chris
On Thu, Jul 2, 2020 at 10:45 Greg Hudson <ghudson at mit.edu> wrote:
> On 7/1/20 3:55 PM, Chris Hecker wrote:
> >> For example, if we treated single-component principals as users,
> > anyone with a user/admin principal (or user/root, which has no status in
> > the code but is a common convention for elevated access) would probably
> > still be detectable by an attacker.
> >
> > Not sure I follow this, why wouldn’t they be treated like a normal princ
> > if we had this obscurity feature?
>
> The difficulty is in making a "normal princ" look identical to an actual
> normal princ.
>
> Let's say we added this obscurity setting to the KDC in the following
> naive way: if an unauthenticated AS request comes in and the client
> principal isn't found in the DB, we send PREAUTH_REQUIRED. If the
> request contains preauth (of a recognizable "real" preauth type) then we
> send PREAUTH_FAILED.
>
> Service principals can (and frequently do) authenticate as clients.
> Because they have random keys, they don't generally require preauth
> (partly because preauth would be a waste of round trips when the key is
> random, and partly because PREAUTH_REQUIRED has undesirable legacy
> semantics when applied to service principals). So without first
> authenticating as a legitimate client, the attacker can distinguish
> between a dummy response and a real response for a service principal.
> Perhaps we don't care about obscuring valid service principals, but if
> we do, we have to instead respond to AS requests for service-principal
> clients with a dummy ticket (of a size indistinguishable from a
> legitimate ticket) encrypted in a random key, instead of a
> PREAUTH_REQUIRED. And because there is no formal distinction between
> user principals and service principals, we can't trivially determine
> whether the client principal (if it existed) would be for a user or for
> a service.
>
> Additionally, in a PREAUTH_REQUIRED error, we have to send etype-info
> based on the request's enctype preference order and the client and
> server principals' supported enctypes. There's no client principal
> entry, so what enctypes do we assume are supported by the client?
> Perhaps we consult supported_enctypes. What if the administrator just
> recently began a transition from aes-sha1 to aes-sha2 enctypes? Most
> real principals will only have aes-sha1 keys, but supported_enctypes
> lists the aes-sha2 enctypes. In this situation it's easy to distinguish
> dummy responses from those for most real principals.
>
> The use of more advanced preauth mechanisms might further muddy things;
> for instance, principals intended to authenticate with PKINIT might have
> no keys, and therefore no etype-info. Perhaps we allow the
> administrator to create a template principal which has similar metadata
> to the majority of user principals, and use that for dummy responses.
> Now we're asking a lot from the administrator, and any kind of enctype
> or preauth transition would still create classes of users who are
> distinguishable from the template.
>
> We'd also have to consider whether to include TGS requests in the threat
> model. If the attacker is an insider or has compromised just one client
> account, they can try to build their valid principal list using TGS
> requests instead of AS requests. If we're just trying to obscure user
> principals this might not be too hard, assuming users have DISALLOW_SVR
> set. We'd have to send back S_PRINCIPAL_UNKNOWN instead of
> MUST_USE_USER2USER when the service principal has that flag.
> (Additional attention might need to be given to the user-to-user code
> path, as the attacker could try user-to-user with a bogus TGT.) If
> we're also trying to obscure service principals, the problem becomes
> much harder; we'd have to issue dummy service tickets for invalid
> services, again making sure the ticket size isn't distinguishable, and
> making the choice of ticket session key enctype indistinguishable from a
> normal service principal. Issuing dummy service tickets would create
> many problems for legitimate users, such as breaking
> dns_canonicalize_hostname=fallback.
>
> Finally, none of the above analysis considers side channels. If a dummy
> response takes a measurably different amount of time for the KDC to
> synthesize than a normal response, an attacker still might be able to
> distinguish valid from invalid principal names.
>
More information about the Kerberos
mailing list